git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1674048 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673942 13f79535-47bb-0310-9956-ffa450edef68

* Use the correct server name for SNI in case the backend SSL connection itself
  is established via a proxy server.

PR: 57139
Submitted by: Szabolcs Gyurko <szabolcs gyurko.org>



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673941 13f79535-47bb-0310-9956-ffa450edef68

ssl_util: Fix possible crash (free => OPENSSL_free) and error path leaks when
checking the server certificate constraints (SSL_X509_getBC()).



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673940 13f79535-47bb-0310-9956-ffa450edef68

    PR 57379: If mod_cgi and mod_cgid get installed,
    use IfModule for MPM to LoadModule mod_cgi for
    prefork and mod_cgid for all other MPMs.

    Previously when combined with --enable-load-all-modules
    both modules were loaded and it was undefined
    which one actually handled cgi requests.

    Based on a patch by olli hauer <ohauer gmx.de>.


    Addition to r1652955: Use "=" in combination
    with "test" instead of "==".


    Fix indentation and tab use after r1652955.


Submitted By: olli hauer <ohauer gmx.de> 
Reviewed By: rjung, ylavic, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673909 13f79535-47bb-0310-9956-ffa450edef68

allow time to first byte (of response headers)
to be logged by mod_logio.  

mod_logio was just a conveninent place to do this 
w/o writing a new filter or complicating an existing 
important one.



Use 'unsigned int' in bitfield


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673904 13f79535-47bb-0310-9956-ffa450edef68

 
  *) mod_proxy_wstunnel: Avoid an empty response by failing with 502 (Bad
     Gateway) when no response is ever received from the backend.

Submitted By: jkaluza
Reviewde By: covener, ylavic, trawick




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673902 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Protect ENGINE_CTRL_CHIL_SET_FORKCHECK macro with a 
featue check for libressl.

Submitted by: Stuart Henderson <sthen openbsd.org>
Reviewed by: covener, trawick, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673900 13f79535-47bb-0310-9956-ffa450edef68

backends not recycling connections (disablereuse), including the default
reverse and forward proxies.

Submitted by: ylavic (and trawick for an old helper function)
Reviewed by: rjung, covener


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673896 13f79535-47bb-0310-9956-ffa450edef68

mod_buffer: Forward flushed input data immediately and avoid (unlikely)
access to freed memory.

Submitted by: ylavic, jailletc36
Reviewed by: covener, rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673871 13f79535-47bb-0310-9956-ffa450edef68

core: Add CGIPassAuth directive to control whether HTTP authorization
headers are passed to scripts as CGI variables.

PR: 56855
Reviewed by: rjung, ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673860 13f79535-47bb-0310-9956-ffa450edef68

Credit to guy who rediscovered, fixed, committed & merged: 100%


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1671786 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1671417 13f79535-47bb-0310-9956-ffa450edef68

core_filters: restore/disable TCP_NOPUSH option after non-blocking sendfile.

CHANGES: follow up to r1669289.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670328 13f79535-47bb-0310-9956-ffa450edef68

core: If explicitly configured, use the KeepaliveTimeout value of the
virtual host which handled the latest request on the connection, or by
default the one of the first virtual host bound to the same IP:port.

For non-async MPMs, use either r->server's or c->base_server's value in
ap_process_http_sync_connection() depending on a new server_rec's flag
called keep_alive_timeout_set and determined at config time.

For event MPM, use a queue per timeout value, chaining the queues per
type (keepalive wrt KeepAliveTimeout, write completion wrt to Timeout)
so that maintenance can be done on all the queues from the head, and such
that insertions/maintenance remain in O(1).
A server config is created and pointing to the queue of each vhost at
post_config time, hence the config can be associated to the connection
state (cs) at post_read_request time (keep_alive_timeout_set is used to
determine r->server vs c->base_server here), and we can simply insert
with TO_QUEUE_INSERT(cs->sc->q, cs).  PR56226.

While at it, since each queue now embeds it own timeout and hence the
expiration_time of the cs has changed to a queue_timestamp (the time it
was queued), we can detect clock skews and expire entries immediatly if
the system is set (eg. far) in the past during runtime and we want to
avoid waiting for (eg.) centuries before the current logic kills them.
Any entry which is registered above now + q->timeout is concerned, and
is now cleaned from the queue when encountered.  PR57374.


core: Follow up to r1664071: comments on new keep_alive_timeout_set flag.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670326 13f79535-47bb-0310-9956-ffa450edef68

core: Initialize scoreboard's used optional functions on graceful restarts to
avoid a crash when relocation occurs.  PR 57177.


core: follow up to r1668532: CHANGES entry.

core: follow up to r1668532: always initialize optional_fn pointers in ap_create_scoreboard().
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670325 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_connect/wstunnel: If both client and backend sides get readable
at the same time, don't lose errors occuring while forwarding on the first
side when none occurs next on the other side, and abort.


CHANGES: Follow up to r1657636, clarify message.


mod_proxy_{connect,wstunnel}: follow up to r1657636.
Since rv is not used as an apr_status_t in the loop (it's logging is done by
proxy_{connect,wstunnel}_transfer() when necessary/relevent), use a boolean
instead to avoid the ugly ORs between APR error codes.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670324 13f79535-47bb-0310-9956-ffa450edef68

core: Add expression support to ErrorDocument. Switch from a fixed
sized 664 byte array per merge to a hash table.

Submitted by: minfrin
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670320 13f79535-47bb-0310-9956-ffa450edef68

Avoid a potential integer underflow in the lock timeout value sent back to a client. The answer to a LOCK request could be an extremly large integer if the time needed to lock the resource was longer that the requested timeout given in the LOCK request. In such a case, we now answer "Second-0".  PR55420
Submitted by: jailletc36
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1670319 13f79535-47bb-0310-9956-ffa450edef68

Retry ENOENT like ECONNREFUSED, but only near a server restart.

PR57685

Submitted By: Edward Lu
Committed By: covener



Submitted by: covener
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1669559 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_http: Don't expect the backend to ack the "Connection: close" to
finally close those not meant to be kept alive by SetEnv proxy-nokeepalive
or force-proxy-request-1.0, and respond with 502 instead of 400 if its
Connection header is invalid.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1669558 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy: use the original (non absolute) form of the request-line's URI
for requests embedded in CONNECT payloads used to connect SSL backends via
a ProxyRemote forward-proxy. PR 55892.

Submitted by: Hendrik Harms <hendrik.harms gmail com>
Reviewed  by: wrowe, ylavic
Committed by: ylavic


mod_proxy: follow up to r1665215: CHANGES entry.
Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1669556 13f79535-47bb-0310-9956-ffa450edef68

A misplaced check for inflation limits prevented limiting relatively
small inputs.  PR56872

Submitted By: Edward Lu 
Committed By: covener



mod_deflate: follow up to r1619383.

deflate_in_filter():
- use inflated bytes per inflate() call to compute the total output bytes,
- check zlib errors before limits,
- add missing check_ratio() when asked to flush.

deflate_out_filter():
- check ratio after each inflate() call.


mod_deflate: follow up to r1619383 and r1619444: CHANGES entry.

CHANGES: follow up to r1662245: Add PR number.
Submitted by: covener, ylavic, ylavic, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1669555 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1668880 13f79535-47bb-0310-9956-ffa450edef68

  *) SECURITY: CVE-2015-0253 (cve.mitre.org)
     core: Fix a crash introduced in with ErrorDocument 400 pointing
     to a local URL-path with the INCLUDES filter active, introduced
     in 2.4.11. PR 57531. [Yann Ylavic]


Submitted By: ylavic
Committed By: covener






git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1668879 13f79535-47bb-0310-9956-ffa450edef68

Remove some instances where a RewriteBase must be specified

Previously, any time you used a relative substitution in 
per-directory/htaccess context, you needed to specify
a RewriteBase. But in case where the context document root 
and context prefix are known via e.g. mod_userdir
or mod_alias, and the substitution is under the context 
document root, we can determine the replacement automatically.

This makes htaccess files or config snippets a bit more
portable.





git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1668870 13f79535-47bb-0310-9956-ffa450edef68

mpm_event: follow up to r1538490, r1545736, r1604350, r1639614 and r1642868.
Clear and restore sbh in notify_suspend() and notify_resume() respectively.

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664365 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
a combination of certificate serialNumber and issuer as defined by
CertificateExactMatch in RFC4523.

Submitted by: minfrin
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664363 13f79535-47bb-0310-9956-ffa450edef68

  *) SECURITY: CVE-2015-0228 (cve.mitre.org)
     mod_lua: A maliciously crafted websockets PING after a script
     calls r:wsupgrade() can cause a child process crash.
     [Edward Lu <Chaosed0 gmail.com>]

Discovered by Guido Vranken <guidovranken gmail.com>

Submitted by: Edward Lu
Committed by: covener




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664118 13f79535-47bb-0310-9956-ffa450edef68

Fix bit-shifting of websockets frame fields that would yield wrong opcodes
when the FIN bit was set.  Results in PING not being recognized
by mod_lua.  PR57524

Submitted By: Edward Lu
Committed By: covener




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664117 13f79535-47bb-0310-9956-ffa450edef68

ab: Add missing longest request (100%) to CSV export. PR57614.

Submitted by: ylavic
Reviewed by: covener, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1663405 13f79535-47bb-0310-9956-ffa450edef68

mod_macro: Clear macros before initialization to avoid use-after-free
on startup or restart when the module is linked statically. PR 57525

Submitted by: apache.org tech.futurequest.net
Committed by: Yann Ylavic

Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1663260 13f79535-47bb-0310-9956-ffa450edef68

mod_alias: Introduce expression parser support for Alias, ScriptAlias
and Redirect.


Use unsigned bit fields.


mod_alias: follow up to r1653941.
Fill empty APLOGNO().

Submitted by: minfrin, ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1663259 13f79535-47bb-0310-9956-ffa450edef68

mod_ssl: Fix merge problem with SSLProtocol that made SSLProtocol ALL ignored
in virtualhost context (new version of r1653906 reverted by r1653993).

Submitted By: Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>
Committed/modified By: ylavic


Submitted by: ylavic
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1663258 13f79535-47bb-0310-9956-ffa450edef68

   * mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
              (segfault flaw) PR 57334.

Submitted by: ylavic
Reviewed by: ylavic, wrowe, minfrin
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1662640 13f79535-47bb-0310-9956-ffa450edef68

mod_proxy_ajp: Forward SSL protocol name (SSLv3, TLSv1.1 etc.) as a
request attribute to the backend. The name is taken from
the SSL_PROTOCOL env var. Recent Tomcat versions will extract
it and provide it as a servlet request attribute named
"org.apache.tomcat.util.net.secure_protocol_version". 

The change is compatible with existing AJP13, because we forward
the protocol name as a normal named attribute, not with a new
byte abbreviated attribute name.

Submitted by: rjung
Reviewed by: rjung, ylavic, covener
Backported by: rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1662076 13f79535-47bb-0310-9956-ffa450edef68

core: Optimize string concatenation in expression
parser when evaluating a string expression.

We have a relatively small recursion limit of
about 10 operations. This is a compilation
limit (a define). It can be hit if many expr
vars or function calls are concatenated in an
expression that is evaluated as a string not as
a boolean.

The new optimization uses iteration instead of
recursion and is very similar to the
existing one, which optimizes consecutive
concatenations in node2 of the tree. The new
one optimizes consecutive concatenations in
node 1.

Submitted by: rjung
Reviewed by: rjung, ylavic, covener
Backported by: rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1662075 13f79535-47bb-0310-9956-ffa450edef68

   * acinclude.m4: Generate #LoadModule directive in default httpd.conf for
                   every --enable-mpms-shared. PR 53882.

Submitted by: olli hauer <ohauer gmx.de>, Yann Ylavic
Reviewed by: ylavic, rjung, jailletc36
Backported by: jailletc36

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1661848 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1661754 13f79535-47bb-0310-9956-ffa450edef68

as in r1517366, drop the severity in authz_groupfile when a require
didn't match but no real error was encountered. 

This individual 'require group' may not really dictate who gets in. PR55523 




git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1661749 13f79535-47bb-0310-9956-ffa450edef68